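The Harbor high-availability setup in this article follows the deployment approach on the official Harbor site. The main ideas are listed below; choose how to build it according to your own situation.
Deploy a Harbor high-availability cluster. (This article mainly covers Harbor's high-availability deployment and supplements "Setting up Harbor on Kubernetes without pitfalls, and Harbor registry synchronization"; please read that article first.)
This article only explains the high-availability configuration. For the rest of the deployment, see "Setting up Harbor on Kubernetes without pitfalls, and Harbor registry synchronization".
Install directly with the manifest files the author has prepared (generated with Helm).
To install Helm, see "Setting up Harbor on Kubernetes without pitfalls, and Harbor registry synchronization", which includes the Helm installation.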
```bash
git clone https://github.com/goharbor/harbor-helm.git
cd XXX/harbor-helm
```
PostgreSQL configuration in the database section

```yaml
database:
  # if external database is used, set "type" to "external"
  # and fill the connection informations in "external" section
  type: external
  internal:
    image:
      repository: goharbor/harbor-db
      tag: v1.8.2-dev
    # The initial superuser password for internal database
    password: "changeit"
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
    nodeSelector: {}
    tolerations: []
    affinity: {}
  external:
    host: "stolon-proxy-service" # Service of the stolon that manages PostgreSQL; reachable because everything runs in Pods
    port: "5432"
    username: "postgres"
    password: "password1"
    coreDatabase: "registry"
    clairDatabase: "clair"
    notaryServerDatabase: "notaryserver"
    notarySignerDatabase: "notarysigner"
    sslmode: "disable"
  ## Additional deployment annotations
  podAnnotations: {}
```
Redis configuration

```yaml
redis:
  # if external Redis is used, set "type" to "external"
  # and fill the connection informations in "external" section
  type: external
  internal:
    image:
      repository: goharbor/redis-photon
      tag: v1.8.2-dev
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
    nodeSelector: {}
    tolerations: []
    affinity: {}
  external:
    host: "10.8.4.133" # HAProxy address; the Redis cluster is managed through HAProxy
    port: "6379"
    # The "coreDatabaseIndex" must be "0" as the library Harbor
    # used doesn't support configuring it
    coreDatabaseIndex: "0"
    jobserviceDatabaseIndex: "1"
    registryDatabaseIndex: "2"
    chartmuseumDatabaseIndex: "3"
    password: ""
```
Change the replicas (replica count) of Harbor's other components

```yaml
# For example, changing the replica count of nginx
nginx:
  image:
    repository: goharbor/nginx-photon
    tag: v1.8.2-dev
  replicas: 3
```
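The values above carry sample passwords, an empty Redis password and `sslmode: "disable"`, so it is worth checking the edited values file before installing. The following is an added example, not part of the original post or of harbor-helm: `audit_values`, `sample_values` and the `WEAK_PW` deny-list are assumed names, and the script assumes the two-space indentation used by the values file shown above.

```shell
#!/usr/bin/env bash
# Added example: report weak settings in the *active* database/redis section
# of a harbor-helm values file (the section named by that block's "type").
# WEAK_PW is an assumed deny-list built from the passwords shown on this page.
WEAK_PW='changeit|password1|password|admin'

audit_values() {   # usage: audit_values FILE -> one finding per line, sorted
  awk -v weak="^(${WEAK_PW})\$" '
    function val(s) {                 # text after "key:", minus comment/quotes
      sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t]+#.*$/, "", s)
      gsub(/"/, "", s); sub(/[ \t]+$/, "", s); return s
    }
    /^[A-Za-z]/      { top = $1; sub(/:.*/, "", top); sec = "" }  # e.g. database
    /^  [A-Za-z]/    { sec = $1; sub(/:.*/, "", sec) }            # e.g. external
    /^  type:/       { type[top] = val($0) }
    /^    password:/ { pw[top "." sec] = val($0) }
    /^    sslmode:/  { ssl[top "." sec] = val($0) }
    END {
      for (k in pw) {
        split(k, p, ".")
        if (type[p[1]] != p[2]) continue           # skip the unused section
        if (pw[k] == "")         print "EMPTY   " k ".password"
        else if (pw[k] ~ weak)   print "DEFAULT " k ".password"
        if (ssl[k] == "disable") print "NO-TLS  " k ".sslmode"
      }
    }' "$1" | sort
}

sample_values() {  # constructed excerpt mirroring the values shown above
  cat <<'EOF'
database:
  type: external
  internal:
    password: "changeit"
  external:
    host: "stolon-proxy-service" # stolon service
    password: "password1"
    sslmode: "disable"
redis:
  type: external
  external:
    host: "10.8.4.133"
    password: ""
EOF
}
```

Run it as `audit_values values.yaml` from the chart directory; an empty result means none of the three checks fired for the active sections.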
Script that runs the SQL statements, used by stolon-init-database-job.yaml

```bash
# The heredoc delimiter is quoted so that $host, ${args[@]} and $(...) are
# written into the script literally instead of being expanded right now.
cat <<'EOF' > ./postgresql.sh
#!/bin/bash

host="stolon-proxy-service"
user="postgres"
db="postgres"
export PGPASSWORD="password1"

args=(
  # force postgres to not use the local unix socket (test "external" connectibility)
  --host "$host"
  --username "$user"
  --dbname "$db"
  --quiet --no-align --tuples-only
)

# Only create the databases once the stolon proxy answers a trivial query.
if select="$(echo 'SELECT 1' | psql "${args[@]}")" && [ "$select" = '1' ]; then
  echo "====notaryserver==database==creating===="
  psql -h stolon-proxy-service -p 5432 -U postgres -f "/docker-entrypoint-initdb.d/initial-notaryserver.sql"
  echo "====notarysigner==database==creating===="
  psql -h stolon-proxy-service -p 5432 -U postgres -f "/docker-entrypoint-initdb.d/initial-notarysigner.sql"
  echo "====registry==database==creating===="
  psql -h stolon-proxy-service -p 5432 -U postgres -f "/docker-entrypoint-initdb.d/initial-registry.sql"
  echo "====clair==database==creating===="
  psql -h stolon-proxy-service -p 5432 -U postgres -f "/docker-entrypoint-initdb.d/initial-clair.sql"
  exit 0
fi
exit 1
EOF
```
Create the registry database

```bash
cat <<EOF > ./initial-registry.sql
CREATE DATABASE registry ENCODING 'UTF8';
\c registry;
CREATE TABLE schema_migrations(version bigint not null primary key, dirty boolean not null);
EOF
```
Create the notaryserver database

```bash
cat <<EOF > ./initial-notaryserver.sql
CREATE DATABASE notaryserver;
CREATE USER server;
alter user server with encrypted password 'password';
GRANT ALL PRIVILEGES ON DATABASE notaryserver TO server;
EOF
```
Create the notarysigner database

```bash
cat <<EOF > ./initial-notarysigner.sql
CREATE DATABASE notarysigner;
CREATE USER signer;
alter user signer with encrypted password 'password';
GRANT ALL PRIVILEGES ON DATABASE notarysigner TO signer;
EOF
```
Create the clair database

```bash
cat <<EOF > ./initial-clair.sql
CREATE DATABASE clair;
EOF
```
Create a Job YAML (stolon-init-database-job.yaml) that creates the databases. Remember to change the mount location of the scripts, and either copy the scripts to every node or add a nodeSelector label to a node and to the YAML so that the scripts only need to be copied to the labelled node.

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: stolon-init-database-job
spec:
  template:
    spec:
      containers:
        - name: stolon-proxy
          image: sorintlab/stolon:master-pg10
          command:
            - "/bin/bash"
            - "/docker-entrypoint-initdb.d/postgresql.sh"
          volumeMounts:
            - mountPath: /docker-entrypoint-initdb.d
              name: database
      restartPolicy: OnFailure # restart on failure
      volumes:
        - name: database
          hostPath:
            path: /root/tmp/harbor/stolon/examples/kubernetes/sql
  activeDeadlineSeconds: 600 # if not complete after 10 minutes, stop restarting and remove the Pod
```
```bash
yum -y install haproxy
cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg-back
vim /etc/haproxy/haproxy.cfg
```
```
defaults REDIS
    mode tcp
    timeout connect 1m
    timeout server 6m
    timeout client 6m

frontend ft_redis
    bind 0.0.0.0:6379 name redis
    default_backend bk_redis

backend bk_redis
    option tcp-check
    tcp-check connect
    tcp-check send PING\r\n
    tcp-check expect string +PONG
    tcp-check send info\ replication\r\n
    tcp-check expect string role:master
    tcp-check send QUIT\r\n
    tcp-check expect string +OK
    server R1 redis-0.redis-headless.default.svc.cluster.local:6379 check inter 1s
    server R2 redis-1.redis-headless.default.svc.cluster.local:6379 check inter 1s
    server R3 redis-2.redis-headless.default.svc.cluster.local:6379 check inter 1s

listen admin_stats
    stats enable
    bind *:9090
    mode http
    option httplog
    log global
    maxconn 10
    stats refresh 30s
    stats uri /admin
    stats realm haproxy
    stats auth admin:admin
    stats hide-version
    stats admin if TRUE
```
```bash
systemctl start haproxy && systemctl enable haproxy && systemctl status haproxy
```
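Visit <Harbor node IP>:9090/admin
If the page looks like the figure, the setup succeeded.
⚠️ For high availability of the k8s master nodes, see "Master cluster high availability with haproxy+keepalive".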
Install Harbor and write the output to a file. You can edit that file down to the .yaml manifests and keep it for later use.

```bash
helm install . --debug --name hub | sed 'w harbor.yaml'
```
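Alternatively, run the following command, which renders the chart without installing it. Its purpose is to generate the manifest file; delete the superfluous parts before using it.

```bash
helm install . --debug --dry-run --name hub | sed 'w harbor.yaml'
```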
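Link: https://pan.baidu.com/s/1cr1fnWGHc-70HAxx1YH4kg Password: 21a8
Using this manifest file directly may cause problems. It is better to put in the effort and run Helm yourself, which also avoids missed or incorrect configuration changes. The file is suitable for experiments; if you build a real deployment, be sure to modify Pod settings such as Volume and resource requests.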